feat: add token-based API access (v0.6.0)

- Add Token GORM model with UserID/Name/Token/LastUsedAt/ExpiresAt fields
- Add TokenManager controller: List/Create/Delete/Verify operations
- Add token HTTP handlers: list, create, revoke
- Update AuthVerify to support Bearer token auth; API tokens use "ust_" prefix to distinguish from session tokens
- Add one-step file upload endpoint: PUT /api/v1/upload/:filename (returns {"status":200,"data":{"code":"..."}})
- Add token management routes: GET/POST/DELETE /api/token
- Add /self page: personal center with account info, token management table, and curl usage guide
- Add "个人中心 / API Token" nav link for users with token_manage permission

🤖 Generated with [Qoder][https://qoder.com]

internal/handler/auth.go

@@ -3,6 +3,7 @@ package handler
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/loveuer/nf"
 	"github.com/loveuer/ushare/internal/controller"
@@ -11,8 +12,12 @@ import (
 
 func AuthVerify() nf.HandlerFunc {
 	tokenFn := func(c *nf.Ctx) (token string) {
-		if token = c.Get("Authorization"); token != "" {
-			return
+		if raw := c.Get("Authorization"); raw != "" {
+			// Strip "Bearer " prefix if present
+			if strings.HasPrefix(raw, "Bearer ") {
+				return strings.TrimPrefix(raw, "Bearer ")
+			}
+			return raw
 		}
 		token = c.Cookies("ushare")
 		return
@@ -24,7 +29,18 @@ func AuthVerify() nf.HandlerFunc {
 			return c.Status(http.StatusUnauthorized).JSON(map[string]string{"error": "unauthorized"})
 		}
 
-		session, err := controller.UserManager.Verify(token)
+		var (
+			session *model.Session
+			err     error
+		)
+
+		// API tokens have the "ust_" prefix; session tokens do not.
+		if strings.HasPrefix(token, model.TokenPrefix) {
+			session, err = controller.TokenManager.Verify(token)
+		} else {
+			session, err = controller.UserManager.Verify(token)
+		}
+
 		if err != nil {
 			return c.Status(http.StatusUnauthorized).JSON(map[string]string{"error": "unauthorized", "msg": err.Error()})
 		}